Cyber Challenges and Solutions for pension scheme trustees

09 October 2023

In order to effectively discharge their obligations to protect member data and scheme assets, RSM offers a suite of cyber solutions to Trustee Boards to meet their responsibilities under the forthcoming General Code from The Pensions Regulator (TPR).

This new code introduces the requirements for trustees to maintain IT systems and to consider the controls that are in place to reduce cyber risk.

The eco-system of a Pension Scheme is complex and challenging, with many 3rd parties and a significant amount of personal data processed, transmitted and stored in local and 3rd party environments throughout the lifecycle of a pension scheme. This complexity creates a challenging environment in which critical scheme information must be identified and protected.

RSM’s specialist pensions and cyber teams recognise the complex cyber challenges faced by Pension Schemes. We have designed flexible connected solutions for trustees, pension managers and those charged with governance. Our solutions will:

provide crucial visibility of risk, exposure and control effectiveness;
support you to drive proactive cyber security through developing strategies and programmes to meet your pension scheme needs;
enable you to be confident in your cyber defence; and
equip you to embed cyber resilience throughout the Pension Scheme lifecycle.

For further information please contact Stuart Leach or Elisabeth Storey.

The cyber threat challenge
Pension Scheme case study
Practical tips for success
How can RSM help?

The cyber threat challenge

Pension Scheme Trustees are concerned about the financial, operational, and reputational impact of cyber-attacks, with the ever-changing threat landscape and complex regulations adding to the challenge.

A constant threat

Due to a high volume of data movement and complexity, the pension sector is an attractive target for cyber criminals. Cyber attacks are constant, with most schemes and their third parties likely being targeted.

Feeling the pressure

Scheme members, insurers, and regulators are demanding that cyber controls are in place and are increasing their due diligence to gain assurance. This puts additional pressure on Trustees and Schemes to validate that effective controls are in place for in-house and third party operations.

A need for protection

Given the continued rise in cybercrime and breaches including against the supply chain, it is paramount that Pension Scheme Trustee Boards prioritise visibility of threats, verify controls, protect critical assets, and build resilience against cyber-attacks.

An increasing risk of attack

As Pension Scheme Trustee Boards and operational third parties rely more on data driven insights, digital storage solutions and embrace digital transformation, cyber criminals have a larger attack surface to target and take advantage of the processes and stages of the pension scheme lifecycle.

Pension Scheme case study

We provide a wide range of cyber solutions to Pension Schemes, Trustees, and their third-party eco-system. These solutions include delivery of Trustee and Scheme cyber awareness training, and cyber exercises to raise awareness of threats, controls, and accountabilities. We undertake cyber risk assessments and technical validation testing to provide visibility of risk and exposure and create sustainable strategies and controls to support Trustees and Scheme Management to manage risks and embed resilience.

Cyber Security Assessment

Engagement

Undertake an independent review of the current cyber security risk landscape for the Pension Scheme to provide visibility of the current cyber risk profile to determine if the current safeguards are adequate to protect the scheme’s assets and member data.

Approach

We worked with key stakeholders to gain an understanding of the operational context of the scheme including the cyber footprint, critical assets, and key third parties. We completed deep dive interviews and control reviews using appropriate standards such as NCSC, Cyber Essentials and NIST considering our understanding of relevant pension sector specific threats and risks.

Outcome

We produced a report detailing identified strengths and gaps contextualised to the schemes operations, threats and risks. We provided prioritised, cost-effective, pragmatic and practical recommendations to drive the cyber roadmap allowing the scheme to improve controls, reduce risk, achieve regulatory compliance and maintain visibility of control performance.

Practical tips for success

With the continued increase of cyber-attacks impacting the pension sector and the impending launch of The Pensions Regulator’s (TPR) General Code, there has been a lot said about the expectations on trustees to ensure that appropriate controls are in place to protect member’s data and assets. However, when speaking to Pension Scheme Trustee Boards and scheme managers about how to discharge these expectations, it is still far from clear.

What is expected?

Through the General Code, trustees and scheme managers are expected to have a sufficient understanding of the schemes’ cyber risk and ensure that sufficient controls are in place to minimise these risks across the entirety of the scheme’s ‘cyber footprint’.

We have seen through recent events that the spirit of the General Code takes this a step further by expecting trustees to understand and proactively warn members about pension scams and ensure that the ability to monitor for increased and unusual transfer requests is in place to identify cyber enabled fraud.

Additionally, unions representing schemes and funds impacted by recent breaches are pressing The Pension Regulator to do more to ensure that members’ pensions are safe. They have the responsibility to mitigate risks to members firmly pointing at the pension schemes, funds and their third parties.

All this leads to a heavy expectation on trustees to understand their obligations and the spirit in which these must be achieved in a challenging and complex eco-system involving many outsourced activities and significant movement of sensitive scheme data.

Practical tips for success

Tip 1: Build appropriate cyber awareness

Trustees must focus on creating and embedding cyber resilience across the entirety of their eco-system and this starts with having an appropriate level of awareness of risks and threats, understanding what ‘good’ looks like and ensuring that there are plans in place to achieve this.

Cyber awareness training should be tailored to the needs of trustees and scheme managers and be relevant to the specific operational context of the scheme including its third parties. This will enable trustees to build their knowledge and apply appropriate levels of challenge to understand the risks and exposure of scheme assets and data.

Tip 2: Understand your ‘cyber footprint’ to understand and manage risk

It is crucial that trustees have a clear understanding of data holdings including where data is located, who can access it and where they access it from. Additionally, it is important to understand if data is regularly transferred between parties. This is the schemes ‘cyber footprint’.

Trustees should ensure that data is appropriately classified along with understanding its value to cyber criminals. Following which potential threats to scheme assets and data should be determined by consulting with their third parties as this will form a significant part of the schemes’ threat landscape. Additionally, trustees should seek advice from trusted advisers to provide a relevant view of the pension sector specific cyber threat landscape.

By adding the above output to a risk register, trustees can demonstrate an understanding of cyber risk informed by criticality of assets and scheme data, data location by third party, exposure, and likely threats.

Tip 3: Challenge and gain assurance from your third parties

Armed with a risk register including details of scheme assets and data, trustees have a starting point to assess the criticality of third parties and the order in which they should seek assurance.
Wherever possible assurance should be driven by a ‘trust but verify’ approach. Whilst many third parties will be able to provide appropriate cyber security accreditations, it is important to ensure that the scope of coverage includes all services used by the scheme. If gaps in coverage exist, trustees should seek additional assurance that risks associated to out-of-scope services or controls are being appropriately managed.

The cyber threat landscape and therefore cyber risks are ever evolving and as such the scheme and its third parties will need to be dynamic in identifying changes to cyber risks. Trustees should establish a consistent set of reports and metrics that allow for trends against key risks to be tracked through regular reporting. This will support key parties to stay abreast of emerging issues that could lead to increased exposure of scheme assets or data.

Tip 4: Set clear expectations and be prepared to respond to a cyber-attack

To ensure that clarity of expectation is set for all parties, trustees should create key relevant and practical policies including scheme risk management, incident response, cyber security control requirements, and roles and responsibilities.

When creating policies, trustees should ensure they are appropriate to the operational context of the scheme and define requirements for cyber security that are consistent and enforceable across all parties that hold or access scheme assets and data.

In the context of outsourced activity, it is crucial that trustees and scheme managers understand their key third parties’ cyber incident response plans and how these interlink with trustees plans.

In the event of a cyber-attack, it is likely that multiple parties will be impacted. As such, clarifying priority actions, decision points, information flow, and notification requirements through cyber-attack exercises is vital for the scheme to swiftly resume operations, and maintain trust and reputation with scheme members, regulators and third parties.

How can RSM help?

We recognise the complex cyber challenges faced by Pension Scheme Trustee Boards. We have designed flexible connected solutions that provide crucial visibility of risk, exposure, control effectiveness and enable the achievement of regulatory expectations.

We work with trustees to build awareness and drive proactive cyber security by developing strategies that create confidence in cyber defence across the scheme and its third parties’ environments.

RSM Pension sector cyber solutions

Cyber awareness training: We provide training that helps trustees understand regulatory expectations, gain an appropriate level of awareness of pension sector risks and threats, understand what ‘good’ cyber looks like and the steps required to achieve it.

Cyber risk assessment: We undertake independent reviews of the schemes cyber risk landscape to provide visibility of the current risk profile based on the schemes ‘cyber footprint’ and determine if the current safeguards are adequate to protect assets and member data.

Third party assurance: We create third-party assurance frameworks establishing criteria to surface your most critical third parties and a review approach based on exposure of scheme assets and data. To enable trustees to maintain visibility of risk, we establish standardises reporting requirements for key third parties to provide regular updates on cyber risks, incidents, identified trends and cyber controls.

Cyber security policy pack: We create key practical policies for the scheme to ensure that clarity of expectation is set for all parties. This provides confidence that policies and response plans have been appropriately designed in accordance with industry and regulatory expectations.

Cyber-attack exercise: We create and deliver tailored scenario driven exercises that simulate a real-world cyber-attack. We draw out key themes and decision points allowing trustees to experience the pressure, challenge and decisions that need to be made as a cyber-attack unfolds.